Users can scan their Google Cloud compute engine instances along with all other global elastic cloud and on-premise assets from within the Qualys Cloud Platform. Qualys Virtual Scanner Appliance can be directly deployed from the Google Marketplace.

Prerequisites

1) You require a Qualys subscription to be able to complete the deployment successfully. If you do not have an active Qualys subscription, contact Qualys Support or sign up on the Qualys website.

2) Get a personalization code from your Qualys subscription to register every new appliance instance. For detailed steps, scroll down to the section "Generating a Personalization Code".

3) Customers on Private Cloud Platforms require a SAS link to download the qVSA image.

Some things to consider...

The following features are not supported and are disabled in all cloud (private and public) platforms:

WAN/Split network SETTINGS - “WAN Interface” option for split network settings is not available from Scanner UI/console. Only LAN/single network settings from Cloud UI, used for both scanning and connecting to Qualys servers, are supported

NATIVE VLAN - “VLAN on LAN” option for configuring Native VLAN is not available from scanner UI/console

STATIC VLAN (IPV4 AND IPV6) - "VLANs" option for configuring static VLANs is not available from Qualys UI

STATIC ROUTES (IPV4 AND IPV6) - Option to configure “Static Routes” is not available from Qualys UI

IPV6 ON LAN - Option to configure “IPv6 on LAN” is not available from Qualys UI

About managing instances

Instance Snapshots/Cloning Not Allowed

Using a snapshot or clone of a virtual scanner instance to create a new instance is strictly prohibited. The new instance will not function as a scanner. All configuration settings and platform registration information will be lost. This could also lead to scans failing and errors for the original scanner.

Moving/Exporting Instance Not Allowed

Moving or exporting a registered scanner instance from a virtualization platform (HyperV, VMware, XenServer) in any file format to a GCE cloud platform is strictly prohibited. This will break scanner functionality and the scanner will permanently lose all of its settings.

Generating a Personalization Code

Get a personalization code from your Qualys subscription to register every new appliance instance.

Proxy URL: Add the proxy server URL to communicate with Qualys Cloud Platform via SSL proxy. We support both IP and FQDN for the proxy server configuration. Specify the proxy server URL as username:password@proxyhost:port

Formatting:

If you have a domain user, the format is domain\username:password@proxyhost:port

If authentication is not used, the format is proxyhost:port

where proxyhost is the IP address or the FQDN of the proxy server and port is the proxy port.

Examples:

jdoe:abc12345@10.40.1.123:3128

jdoe:abc12345@myproxy.qualys.com:3128

Machine type: The default pre-set is 2 vCPUs and 7.5 GB and can be customized. Note: The appliance supports a maximum of 16 cores and 16GB memory. For customization, choose core to memory in the ratio of 1:3.5.

Name: Provide a unique name to identify the Qualys Scanner appliance image.

Source: Select “Cloud Storage File”, which allows you to select the Qualys Scanner image file stored in a Storage Bucket. In the image, qualys-scanner is a bucket name and qVSA-GCE-xxxxxxx.tar.gz is the Qualys scanner image file.

5) Generate a Personalization code. Follow the steps on how to generate a personalization code earlier in this document.

6) Deploy Qualys Virtual Scanner Appliance Instance.

Deployment name: It is advised to specify the same name used in Qualys UI while generating a personalization code.

Zone: Select a zone that will co-locate the scanner instance with scan target instances. For the scanner to reach other zones, connectivity must be set up with appropriate network configurations.

Machine type: The default pre-set is 2 vCPUs and 7.5 GB and can be customized. Note: The appliance supports a maximum of 16 cores and 16GB memory. For customization, choose core to memory in the ratio of 1:3.5.

Formatting:

If you have a domain user, the format is domain\username:password@proxyhost:port

If authentication is not used, the format is proxyhost:port

where proxyhost is the IP address or the FQDN of the proxy server and port is the proxy port.

Examples:

jdoe:abc12345@10.40.1.123:3128

jdoe:abc12345@myproxy.qualys.com:3128

7) Click the Create button.
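The proxy string format given above (in step 6 and in the earlier Proxy URL description) can be checked before it is entered into the deployment form. The following is an added example, not Qualys code: parse_proxy and ProxySpec are hypothetical names, the IPv4-or-FQDN host check and the rejection of scheme prefixes are assumptions based on the format shown on this page, and the CORP domain and password in the sample are constructed values. It also produces a password-masked form suitable for logs and support tickets.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Assumption (not from the Qualys docs): proxyhost is an IPv4 address or an FQDN of DNS labels.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

class ProxySpec(NamedTuple):
    domain: Optional[str]
    username: Optional[str]
    password: Optional[str]
    host: str
    port: int

    def redacted(self) -> str:
        """Rebuild the string with the password masked, for logs and tickets."""
        if self.username is None:
            return f"{self.host}:{self.port}"
        user = f"{self.domain}\\{self.username}" if self.domain else self.username
        return f"{user}:***@{self.host}:{self.port}"

def parse_proxy(value: str) -> ProxySpec:
    """Parse [domain\\]username:password@proxyhost:port or proxyhost:port."""
    if value != value.strip() or re.match(r"[A-Za-z][\w+.-]*://", value):
        raise ValueError("no surrounding whitespace or scheme prefix allowed")
    # Split on the LAST '@' so a password containing '@' stays intact.
    creds, sep, hostport = value.rpartition("@")
    host, colon, port_text = hostport.rpartition(":")
    if not colon or not re.fullmatch(r"[0-9]{1,5}", port_text) or not 1 <= int(port_text) <= 65535:
        raise ValueError("proxy port must be a number from 1 to 65535")
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        labels = host.split(".")
        if not all(_LABEL.match(part) for part in labels) or labels[-1].isdigit():
            raise ValueError("proxyhost must be an IP address or FQDN") from None
    if not sep:
        return ProxySpec(None, None, None, host, int(port_text))
    # Split on the FIRST ':' so a password containing ':' stays intact.
    user, colon, password = creds.partition(":")
    if not colon or not user or not password:
        raise ValueError("credentials must be username:password")
    domain, backslash, name = user.rpartition("\\")
    if backslash and (not domain or not name):
        raise ValueError("domain user must be domain\\username")
    return ProxySpec(domain or None, name, password, host, int(port_text))

if __name__ == "__main__":  # constructed sample inputs
    for sample in ("jdoe:abc12345@10.40.1.123:3128", "CORP\\jdoe:p@ss:word@myproxy.qualys.com:3128"):
        print(parse_proxy(sample).redacted())
```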

Post-deployment Progress and monitoring

The appliance deployment can take up to 10 minutes. Upon deployment, the appliance will connect with the Qualys Cloud Platform to complete registration. The appliance will also download the latest software and vulnerability signatures.

You can monitor the progress of the instance creation in the GCE VM instances.

To view further progress of the appliance configuration or to diagnose any issues, look at the serial console output. Click 'Serial port 1(console)' in the logs section.

In GCE, you can also check VM status graphs for instance resources like CPU Utilization, Disk IO and Network stats.

From Qualys UI, you can check for Activation of the scanner appliance. Click 'Check Activation' in the dialog from where you copied the Personalization code.

How do I know my scanner is ready to use?

Check your virtual scanner status in the Qualys UI. Go to Scans > Appliances, and find your scanner in the list. Tip - It can take several minutes for the Qualys user interface to get updated after you add a new appliance. Please refresh your browser periodically to ensure that you are seeing the most up-to-date details.

tells you your virtual scanner is ready. Now you can start internal scans! (Next to this, you’ll see the busy icon is grayed out until you launch a scan using this scanner).

Diagnosing Common Errors in Scanner Deployment

Check for errors in the output in the Serial Output console.

If you find issues with the personalization code, shut down the VM, fix the Metadata PERSCODE value and start it up again. If the problem persists and the appliances are not communicating with Qualys, please contact Qualys Support. Include your Qualys portal URL and username, and attach the serial output logs to the support ticket.